Understanding Alertus System Security
The Alertus Emergency Mass Notification System is an industry-leading, powerful, and flexible solution. For over a decade, we’ve seamlessly integrated with and provided potentially life-saving alerts across organizations’ existing infrastructures and technologies, including desktop computers, PA systems, VoIP phones, digital signage, mobile devices, fire panels, and more. We pride ourselves on our ability to help you defend against physical attacks, but did you know that we work equally as hard to make sure our system is safe from cyber attacks?
We sat down with Alertus’ own Gary El-Gamil, Director of Software Engineering, to discuss the safeguards that are put in place to ensure that our system security is one less concern for our customers.
From its inception, the Alertus System was designed with an emphasis on security. We strive to update all of our software components (MySQL, Apache, Tomcat, Java) and even hire external consultants to perform full security audits.
Alert Beacon Security
Alert Beacons are programmed to “pull” data from a hardcoded Alertus server address for each organization. This is more secure than a “push” based method since no listening ports are opened on the device. Additionally, Alert Beacons using Ethernet, or Wi-Fi only connect to the server approximately every 20 seconds and shut off the network connection immediately after each request.
All communication between the Alert Beacons and server is sent using our proprietary Alertus Alert Protocol. Alert Beacons can only process alerts that are in a valid format. In addition, this payload is encrypted using 128 bit AES encryption. We generate a unique key for each customer. The AES key on the server is stored in a password-encrypted keystore and requires physical access to the machine.
Alertus System Security
Alertus Desktop clients use Private Key Infrastructure (PKI) to verify the integrity of alerts and prevent against man in the middle attacks.
The Alertus Activation Software can be configured to use HTTPS using an SSL certificate provided by the organization. This prevents someone on the network from obtaining passwords passed between the client and server.
Integration with third party applications occurs using the Alertus SOAP over port 8280, or a secure HTTPS port of the organization’s choosing. The organization is instructed to setup firewall rules to only allow access to the static IPs of the integration partner. The Alertus REST API uses HTTPS over port 443. Additionally, the Alertus System has application level security that can only allows requests from whitelisted IP addresses. Any unauthorized requests are logged and reported to Alertus. Since we encrypt the messages sent to Alert Beacons, unencrypted Wi-Fi can safely be used.